The issues identified in the latest UK government report create “long-term challenges” in securing the networks, according to the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board, which was set up in 2010 to provide security assurances around the use of Huawei equipment in Britain.

The centre is staffed by British security officials, including some from GCHQ, which signs off its annual reports.

The NCSC’s headquarters in Victoria. Credit: NCSC

Engineering weaknesses

Huawei responded that there were “some areas for improvement” and said it was working with the UK on the issues.

“We are grateful for this feedback and are committed to addressing these issues,” Huawei said. “Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”

In the current year’s HCSEC report, released on Thursday, the centre said it has identified weaknesses in Huawei’s engineering processes that make it difficult for officials to ensure the security of the equipment running on British communications networks.

The equipment is widely used in the UK by companies including BT and Vodafone.

“Shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management,” the report states.

‘Limited assurance’

It adds that the areas of concern identified through the centre’s normal functioning mean that it can currently provide “only limited assurance” that risks to the UK’s national security from Huawei equipment are being successfully mitigated.

According to the report, the issues in question are twofold: the centre’s ability to verify that the binary code actually running on Huawei equipment is identical to that produced by the source code evaluated by security officials, and the lack of sufficient control over third-party software used in a variety of products.

The report emphasised that the weaknesses uncovered show that HCSEC is functioning as it should, with its members working with Huawei to remedy the issues.

“NCSC (the National Cyber Security Centre) still believes that the assurance model including HCSEC is the best way to manage the risk of Huawei’s involvement in the UK telecommunications sector,” the report states. “The model is predicated on industry good practice security and engineering in Huawei.”

Long-term security

But the NCSC said it is “less confident” of HCSEC’s ability to provide “long-term” security assurance, due to the repeated discovery of “critical shortfalls”.

The report said “significant work” would be required to remedy the problems in the short and long term.

HCSEC’s past reports have all provided assurance that any national security risks from Huawei equipment were being successfully mitigated, and the withdrawal of that full assurance is a “big change”, according to an unnamed source cited by Reuters ahead of the report’s release.

The shift comes amid growing international tensions caused by trade barriers imposed by the US on a number of countries.

Countries including the US and Australia have also put increased pressure on Chinese firms such as Huawei and ZTE over national security issues.

Earlier this year the NCSC advised against the increased use of ZTE equipment in the UK, saying that it was already difficult enough to mitigate any risks from Huawei’s gear and that the addition of ZTE equipment “would present risk to UK national security that could not be mitigated effectively or practicably”.